Last week I presented my research at CISAC’s science seminar. The presentation went well: attendance was good, I enjoyed talking about my stuff, and there were some nice discussions at the end.
In the first half of the presentation, I explained the challenges in regulating resilience, using examples from my doctoral dissertation to explain the difference between traditional risk management approaches and resilience approaches to risk management; presenting a model (drawing on Charles Perrow’s normal accident theory) of how technological change creates complex risks that necessitate resilience approaches; and showing how regulations might retard the technological change-risk creation process. I then used the model as a basis for presenting my work, touching on how the CIP standards affect cybersecurity of the electric system from a perspective of what they covered (scope), how they affected actor decision-making (functionality), and how they changed in relation to evolving cyber-risk contexts (adaptation).
I was surprised with how beneficial giving this presentation was. I’d only had a couple weeks of analysis before the presentation, and was worried that as a result my presentation would be too raw, too poorly planned, and too sloppily executed (academics tend to like to be very confident in their findings before they present). Instead of spending months doing analysis, I had to do a rough and dirty analysis to get the gist of the findings, and then present that gist in front of an audience of people, many of whom had a strong background in my area of research. Discussions with them helped me see which areas were strong, which were weak, and which needed more research, giving me a more clear path forward. I’ll now be working on refining my results basically for the rest of the summer.